Re: [GRRN] Job opening

Jim McNelly (compost@cloudnet.com)
Thu, 11 Feb 1999 09:07:21 -0600


At 09:08 AM 2/11/99 -0500, Pete Pasterz wrote:

>

>Attachment Converted: "c:\eudora\attach\Happy99.exe"

>

The Happy99.exe attachment that was attached to this mailing list is a trojan
horse virus.

DO NOT OPEN IT!!

Delete it immediately!!

If you did open it, you are now unwittingly sending it out to everyone
that you e-mail to.

http://www.pspl.com/trojan_info/win32/happy99.htm

Happy99, ska trojan virus.

Information about the happy99, ska Trojan:

Happy99 is a Win32 based Trojan program. When this program is
executed it will display some fireworks. Apart from the fireworks display
this program will do some other activity in the background without the
user's permission. In the background this program will create two files
SKA.EXE and SKA.DLL. It will alter WSOCK32.DLL to put its code into that
file and keep the original file as WSOCK32.SKA. It can not modify the
WSOCK32.DLL file if it is in use. In such a case this program will add an
entry to the Windows Registry to run SKA.EXE the next time the computer
is booted so that it can do these modifications. The size of this trojan
file is 10000 bytes.

You will not get infected by Happy99 merely by downloading the
trojan file. You will have to execute it to get infected.

The modified WSOCK32.DLL has routines to detect the email and newsgroup
postings made by the user. It will send a copy of the SKA.EXE file
renamed as happy99.exe to every user or newsgroup to whom the user
sends an email. Each recipient will get the email only once and the
trojan will not send repeat email to the same user. It will send a
separate email retaining the subject of the first email with the file as
an attachment. The trojan also maintains the file LISTE.SKA which
contains the list of all email addresses and newsgroups to which this
file has been sent. The unique function of this trojan is that it can
spread on its own.

Happy99 first appeared in January 1999 and it is reported to have affected
a lot of users.

Other names of happy99:

This trojan is also known as win32.ska.a, ska, wsock32.ska and
ska.exe.

What is happy99? Trojan, Virus or Worm?

This program can only be classified as a Trojan. It is not a virus as it does not replicate itself. It does not attach itself to any other file or program. It is also not a worm as even though it can spread on its own, it needs to be executed to get control. A worm is capable of spreading and infecting the target computer on its own. Happy99/Ska is a trojan with the capability to distribute itself.

Removing happy99 from your computer:

You can remove this trojan from your computer by using Protector Plus antivirus software.

You can also remove this trojan manually from your computer. To do that, first check the WINDOWS\SYSTEM folder for the presence of these files.

1. SKA.EXE

2. SKA.DLL

3. WSOCK32.SKA

If you find these files then you have been attacked by the Happy99 Trojan. To remove this trojan do the following:

1. Delete SKA.EXE, SKA.DLL and WSOCK32.DLL

2. Rename WSOCK32.SKA as WSOCK32.DLL

Make sure that you have the WSOCK32.SKA file before deleting WSOCK32.DLL and ensure that you have renamed this file properly. You may have to close your Browser, Email software, etc. to delete and rename the DLL files.

You will have to use antivirus software capable of detecting this trojan to ensure that you do not have this file anywhere on your hard disk.

Jim~ McNelly

The Compost Man

compost@cloudnet.com

Http://www.composter.com
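
The manual check and removal steps from the forwarded advisory, written out in Python as an added example that is not part of the original message or the vendor page. The function names are hypothetical, file names are matched case-insensitively (an assumption about how they appear on disk), and the demo runs on a constructed temporary folder rather than a real WINDOWS\SYSTEM directory.

```python
import os
import tempfile

# File names taken from the advisory text above.
INDICATORS = ("SKA.EXE", "SKA.DLL", "WSOCK32.SKA")

def _find(folder, name):
    """Return the real path of `name` in `folder`, ignoring case, or None."""
    for entry in os.listdir(folder):
        if entry.upper() == name.upper():
            return os.path.join(folder, entry)
    return None

def check_happy99(folder):
    """Return the advisory's indicator files that are present in `folder`."""
    return [n for n in INDICATORS if _find(folder, n)]

def restore_wsock32(folder):
    """Apply the advisory's two manual steps. Refuses to delete WSOCK32.DLL
    unless the WSOCK32.SKA backup is present to take its place."""
    backup = _find(folder, "WSOCK32.SKA")
    if backup is None:
        raise FileNotFoundError("WSOCK32.SKA missing; WSOCK32.DLL left untouched")
    for name in ("SKA.EXE", "SKA.DLL", "WSOCK32.DLL"):
        path = _find(folder, name)
        if path:
            os.remove(path)              # step 1: delete the three files
    restored = os.path.join(folder, "WSOCK32.DLL")
    os.rename(backup, restored)          # step 2: rename the backup into place
    return restored

def demo():
    """Run both functions against a constructed folder (not a real system)."""
    with tempfile.TemporaryDirectory() as d:
        samples = (("Ska.exe", b"x"), ("ska.dll", b"x"),
                   ("wsock32.dll", b"patched"), ("WSOCK32.SKA", b"original"))
        for name, data in samples:       # constructed sample files
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        found = check_happy99(d)
        restored = restore_wsock32(d)
        with open(restored, "rb") as f:
            return found, f.read(), check_happy99(d)

if __name__ == "__main__":
    print(demo())
```

On a live system the delete and rename will fail while WSOCK32.DLL is loaded, which is why the advisory says to close the browser and e-mail software first.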